Bob,
I implemented the importing and exporting of private keys from PKCS#8
files using the NSS API.
Here is what I found based on my testing:
Using the Mozilla NSS API, I can only import/export private keys in
PKCS#8 format with the "PKCS12 V2 PBE With SHA1 And 3KEY Triple DES-cbc"
encryption algorithm. I would like to support the other encryption
algorithms supported by OpenSSL.
Using the NSS API, I can import a private key from an OpenSSL-generated
PEM file (openssl rsa ...) with DES-EDE3-CBC (-des3 option) encryption
only.
But I cannot read the private key from a Mozilla NSS API-generated PEM
file using the OpenSSL API, because NSS uses a 16-byte salt for
encryption but the OpenSSL API expects an 8-byte salt.
--
Subrata
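The salt-length mismatch described above is easy to confirm by looking at the header of the encrypted PKCS#8 file itself. The following Python script is an added example, not code from this thread, from NSS or from OpenSSL: it decodes an "ENCRYPTED PRIVATE KEY" PEM block, reads the EncryptedPrivateKeyInfo AlgorithmIdentifier, and, for the PKCS#12 PBE schemes (RFC 7292 appendix C; the "PKCS12 V2 PBE With SHA1 And 3KEY Triple DES-cbc" algorithm named above is OID 1.2.840.113549.1.12.1.3), reports the salt length and iteration count. It also distinguishes an unencrypted "PRIVATE KEY" block, which is the unwrapped case the thread warns against. The minimal DER encoder/decoder and the sample files are constructed inline so the script runs offline with only the standard library; the ciphertext in the samples is dummy bytes, since only the header matters for this check.

```python
"""Inspect a PKCS#8 PEM block: encrypted or not, PBE algorithm, salt length, iterations."""
import base64
import re

# PKCS#12 PBE algorithm OIDs (RFC 7292, appendix C). The NSS default named in the thread is .1.3.
PKCS12_PBE_OIDS = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.4": "pbeWithSHAAnd2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHAAnd128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}
PKCS12_PBE_SHA1_3DES = "1.2.840.113549.1.12.1.3"


# --- minimal DER encoding (used only to build constructed samples) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(n):
    # Extra byte of headroom keeps the sign bit clear for positive values.
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunks))
    return der(0x06, body)


# --- minimal DER decoding ---
def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # first-arc split is valid for the 1.x tree used here
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def inspect_pkcs8(pem):
    """Describe a PKCS#8 PEM block. Unwrapped 'PRIVATE KEY' blocks are reported, not parsed further."""
    label, data = pem_to_der(pem)
    if label == "PRIVATE KEY":
        return {"encrypted": False, "label": label}
    if label != "ENCRYPTED PRIVATE KEY":
        raise ValueError(f"not a PKCS#8 block: {label}")
    # EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm AlgorithmIdentifier, encryptedData OCTET STRING }
    _, epki, _ = _read_tlv(data, 0)
    _, algid, _ = _read_tlv(epki, 0)
    tag, oid_body, pos = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_body)
    info = {"encrypted": True, "label": label, "pbe_oid": oid,
            "pbe_name": PKCS12_PBE_OIDS.get(oid, "not a PKCS#12 PBE scheme")}
    if oid in PKCS12_PBE_OIDS:
        # pkcs-12PbeParams ::= SEQUENCE { salt OCTET STRING, iterations INTEGER }
        _, params, _ = _read_tlv(algid, pos)
        _, salt, p = _read_tlv(params, 0)
        _, iters, _ = _read_tlv(params, p)
        info["salt_len"] = len(salt)
        info["iterations"] = int.from_bytes(iters, "big")
    return info


def build_sample(salt, iterations=2048, oid=PKCS12_PBE_SHA1_3DES):
    """Constructed EncryptedPrivateKeyInfo PEM with dummy ciphertext (header only is meaningful)."""
    params = der(0x30, der(0x04, salt) + der_int(iterations))
    algid = der(0x30, der_oid(oid) + params)
    epki = der(0x30, algid + der(0x04, b"\x00" * 16))
    b64 = base64.b64encode(epki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{body}\n-----END ENCRYPTED PRIVATE KEY-----\n"


if __name__ == "__main__":
    # A 16-byte salt, as the thread reports NSS writing, versus the 8-byte salt it reports OpenSSL expecting.
    for name, salt in (("NSS-style", b"\x11" * 16), ("OpenSSL-style", b"\x22" * 8)):
        print(name, inspect_pkcs8(build_sample(salt)))
```

Running the script against a real file (replace the constructed sample with `open(path).read()`) tells you immediately whether a PEM that one toolkit refuses is rejected because of the PBE scheme, the salt length, or because the key is not wrapped at all.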
Robert Relyea wrote:
> Subrata Mazumdar wrote:
>> Nelson,
>> thanks very much for the clear answer - I did not realize that
>> Mozilla NSS does not support PKCS#8.
>> I also agree with you that the PKCS#12 format is the right way to
>> import/export keys.
>> The problem is that a large number of OpenSSL-based applications
>> still use separate files for the private key and the public key cert.
>> Actually, the problem is even worse - some of the applications use an
>> unencrypted private key or an OpenSSL-specific encrypted PEM file
>> (generated using the 'openssl rsa' command).
>> Anyway, thanks once again.
>>
> I believe Elio has some sample code that can import and export
> *wrapped* PKCS #8 keys stored in Pem format. Unwrapped keys are not
> considered safe. To support them you would need to manually
> encrypt/decrypt the wrapped keys. NSS does not have an interface to
> release unencrypted keys and applications are strongly discouraged
> from using them. Even openssl prefers encrypted to unencrypted keys.
>
> bob
>> --
>> Subrata
>>
>> Nelson Bolyard wrote:
>>
>>> Subrata Mazumdar wrote, On 2008-09-26 07:19:
>>>
>>>> Hi,
>>>> I am having a problem reading a PKCS#8 file generated by the OpenSSL
>>>> command line tool ("openssl pkcs8").
>>>>
>>> Officially, import and export of pkcs#8 files is not supported in NSS.
>>> You may or may not be able to get it to work, but because of the
>>> security concerns of PKCS#8 files, NSS does not support them.
>>>
>>> PKCS#12 is the supported way to import or export private keys and their
>>> related certificates. If you have a problem with PKCS#12, you can get
>>> support from the NSS team.
>>>
>>> PKCS#12 is the one universally implemented private key transport
>>> method.
>>> OpenSSL also supports PKCS#12, and so does Windows.
>>>
>> _______________________________________________
>> dev-tech-crypto mailing list
>> [email protected]
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>
>